HCISPP HealthCare Information Security and Privacy Practitioner

HCISPP - Harrisburg University · 3/9/2016  · Create a Study Plan •Set a goal: schedule your exam date •Attend the Official (ISC)² Prep-Course training at Harrisburg University


Page 1

HCISPP
HealthCare Information Security and Privacy Practitioner

Page 2

William “Buddy” Gillespie, HCISPP
Global Academic Instructor, (ISC)²
Former Healthcare CIO
Chair, Advocacy Committee, CPAHIMSS
[email protected]
@budgill

Page 3

Healthcare Information Security and Privacy Practitioner (HCISPP)

• Introduction & Background
• HCISPP & (ISC)²
• Why HCISPP and Who?
• Why Get Certified?
• HCISPP Domain(s) Overview
• Exam Overview
• Questions & Discussion

Page 4

Overview

This introductory session to the HCISPP certification training course provides an overview of the course objectives and content.

Take away an overall perspective of the key areas of knowledge, consisting of the six domains which cover:

Healthcare Environment
Regulatory Environment
Privacy and Security in Healthcare
Information Governance and Risk Management
Information Risk Assessment
Third Party Risk Management

Learn that the purpose of the HCISPP certification is to confirm a foundational level of performance tasks, knowledge, and abilities relating to the security and privacy of health care information.

Page 5

Introduction

The HCISPP Common Body of Knowledge (CBK) and certification are unique in that they are designed specifically to address the privacy and security of Protected Health Information (PHI), encompassing both the regulatory requirements and the appropriate solutions.

Page 6

Introduction

Healthcare Information Security and Privacy Practitioners (HCISPPs) are at the forefront of protecting patient health information. These are the practitioners whose foundational knowledge and experience unite healthcare information security and privacy best practices and techniques under one credential to protect organizations and sensitive patient data against emerging threats and breaches.

Backed by (ISC)², a global not-for-profit organization that delivers the gold standard for information security certifications, the HCISPP credential confirms a practitioner’s core knowledge and experience in security and privacy controls for personal health information.

Page 7

The HCISPP Certification

• HealthCare Information Security and Privacy Practitioner (HCISPP)
  – Foundational global standard
  – Bridging the gap between security and privacy
• Backed by (ISC)² - International Information Systems Security Certification Consortium
  – Global, not for profit, member-driven organization

Page 8

Related healthcare credentials shown on the slide: CompTIA, RHIA, HCISPP, HIMSS CAHIMS and CPHIMS, CPHIT

Page 9

Salary Survey

(ISC)² Certs Make Top of Cert Mag Salary Survey

With U.S. and world salaries combined from Certification Magazine’s Salary Survey, (ISC)² certs have four out of the top five. CSSLP, CAP, HCISPP, CISSP and concentrations - ISSAP, ISSEP and ISSMP - all made the list within the top 35.

Page 10

Who is (ISC)²?

• Established in 1989 – Not-for-profit consortium of information security industry leaders
• Global leaders in certifying and educating information security professionals throughout their careers
• Offered the first information technology-related credentials to be accredited to ANSI/ISO/IEC Standard 17024
• Global standard for information security – (ISC)² CBK®, a compendium of information security topics
• Board of Directors – Top information security leaders worldwide
• Over 100,000 certified professionals in more than 135 countries
• Produce the only Global Information Security Workforce Study

Page 11

Why HCISPP?

• Healthcare sector is one of the largest and fastest growing employers in the world
• But the sector is dealing with an increasingly complex Health Information Technology (HIT) environment
  – Massive migration to electronic health records (EHR)
  – Mandated exchange of EHR with other health providers
  – New security challenges with use of mobile devices, migration to cloud
• Making matters worse: Oversight agencies doling out harsh penalties for information breaches and failure to maintain “reasonable and appropriate” safeguards
• Result: Privacy and security of personal health information has become a globally recognized headline issue and priority

Page 12

Why HCISPP?

• In spite of the privacy & security focus: Human error remains the largest contributor to health information breaches!
• Healthcare organizations now recognize the criticality of mitigating risk through improved hiring and training practices to ensure their security and privacy practitioners are qualified
• This industry needs a credentialing program to validate a practitioner’s core knowledge, skills, and qualifications to protect and keep secure vital healthcare information.

HCISPP aims to do just that!

Page 13

Why become an HCISPP?

• Validate your experience, skills, and commitment to privacy as a healthcare practitioner.
• Demonstrate your qualifications to implement, manage, or assess the appropriate security and privacy controls for your healthcare organization.
• Advance your career with the only certification that establishes your foundational practitioner knowledge, experience, and competency in health information security and privacy best practices.

Page 14

Who are HCISPPs?

• HCISPPs are the practitioners whose foundational knowledge and experience unite healthcare information security and privacy best practices and techniques under one credential to protect organizations and sensitive patient data from emerging threats and breaches.

Page 15

HCISPP Candidates

• Compliance Officer
• Information Security Manager
• Privacy Officer
• Compliance Auditor
• Risk Analyst
• Medical Records Supervisor
• Information Technology Manager
• Privacy & Security Consultant
• Health Information Manager
• Business Associates

Page 16

Experience Requirements

• Minimum of two years of cumulative experience in one or more domains of the HCISPP CBK. One of the two years of experience must be in healthcare.
• Domain 1: The Healthcare Industry
• Domain 2: Regulatory Environment in Healthcare
• Domain 3: Privacy and Security in Healthcare
• Domain 4: Information Governance and Risk Management
• Domain 5: Information Risk Assessment
• Domain 6: Third Party Risk Management

Page 17

Member Benefits

• Continuing Education

• Network with Infosec Experts

• Discounts

• Infosecurity Professional Magazine

• Free Tools and Reports

• Volunteer Opportunities

Page 18

HCISPP

COMMON BODY OF KNOWLEDGE (CBK)

DOMAIN(S) OVERVIEW

Page 19

HCISPP Six Domains

• Healthcare Industry – understand the diversity of the healthcare industry; types of technologies & information flows that require various levels of protection; and how healthcare info is exchanged
• Regulatory Environment – understand relevant legal and regulatory requirements related to health information, including trans-border data exchange, to help ensure policies and procedures are compliant
• Privacy and Security in Healthcare – basic understanding of security and privacy concepts and principles; relationship of security and privacy; and types of information requiring protection

Page 20

HCISPP Six Domains

• Information Governance and Risk Management – understand how organizations manage information risk through governance
• Information Risk Assessment – understand risk assessment concepts and be able to participate in risk assessment practices and procedures
• Third Party Risk Management – help manage 3rd party relationships and determine when additional security & privacy assurances are needed

Page 21

Healthcare Industry Domain

Objectives

• Identify the different types of health care organizations
• Identify the various health care information technologies
• Define the different aspects of health insurance, including processing claims, coding, billing, and reimbursement
• Describe the regulatory environment with regard to security, privacy, and oversight
• Explain the processes of clinical research and the requirements for public health reporting
• Describe the management of health care records
• Identify external third-party requirements
• Explain the Foundational Health Data Management Processes

Page 22

Healthcare Industry Domain

Six Modules

• Types of Organizations in the Health Care Sector

• Health Information Technology (HIT)

• Health Payment Models

• Operations

• External Third Party

• Foundational Health Data Management Processes

Page 23

Regulatory Environment Domain

Objectives

• Identify and interpret all applicable regulations related to the health care information industry
• Describe the international regulations and controls pertaining to the health care industry
• Identify policies, procedures, and standards needed for the internal organization based on new information security and privacy policies and procedures
• Describe the health care industry compliance frameworks
• Identify the different risk-based decision processes
• Define the health care information industry environment code of ethics and reasons for compliance

Page 24

Regulatory Environment Domain

Six Modules

• Identify Applicable Regulations
• International Regulations and Controls
• Compare International Practices Against New Policies and Procedures
• Compliance Frameworks
• Responses for Risk-Based Decision Making
• Understand and Comply with Code of Ethics/Conduct in a Health Information Environment

Page 25

Privacy and Security Domain

Objectives

• Describe basic objectives of security based on confidentiality, integrity, and availability
• Provide definitions and concepts of generally used security terms
• Describe the general privacy principles as defined by the health care industry
• Compare and contrast the relationship between security and privacy
• Define the different categories of sensitive data

Page 26

Privacy and Security Domain

Objectives

• Describe the disparate nature of sensitive health care data and its handling implications
• Define terms specific to security and privacy for the health care industry

Page 27

Privacy and Security Domain

Five Modules

• Security Objectives
• General Security Definitions/Concepts
• General Privacy Principles
• The Relationship Between Privacy and Security
• The Disparate Nature of Sensitive Data and Handling Implications

Page 28

Information Governance & Risk Domain

Objectives

• Define security and privacy with regard to information governance and its structures
• List and describe risk management methodologies
• Describe the risk management life cycle
• Explain the risk management activities that are specific to the health care industry

Page 29

Information Governance & Risk Domain

Four Modules

• Security and Privacy Governance

• Basic Risk Management Methodology

• Information Risk Management Life Cycles

• Participate in Risk Management Activities

Page 30

Information Risk Assessment Domain

Objectives

• Describe the risk assessment processes, procedures, and concepts as they relate to the health care industry
• Use organizational risk frameworks to identify the control assessment procedures
• Based on the organizational role, participate in the risk assessment
• Identify ways to mitigate and reduce gaps in information risk

Page 31

Information Risk Assessment Domain

Four Modules

• Risk Assessment
• Identify Control Assessment Procedures Within Organizational Risk Frameworks
• Participate in Risk Assessment Consistent with Role in Organization
• Participate in Efforts to Remediate Gaps

Page 32

Third-Party Risk Management Domain

Objectives

• Define what constitutes a third party within the health care industry
• Define processes for maintaining a list of third-party organizations
• Describe the management standards and best practices for engaging with third parties in the health care industry
• Identify the required third-party assessments
• Define the role regarding the supporting activities for third-party assessments

Page 33

Third-Party Risk Management Domain

Objectives

• Identify messaging requirements for responding to security and privacy incidents
• Describe the connectivity requirements for third parties
• Describe responsibilities for promoting awareness of third-party program requirements
• Identify requirements for participation in remediation efforts
• Describe the process for responding to third-party events regarding security and privacy

Page 34

Third-Party Risk Management Domain

Ten Modules

• The Definition of Third Parties in Health Care Context
• Maintain a List of Third-Party Organizations
• Engaging with Third Parties to Enhance Compliance
• Determine When Third-Party Assessment Is Required
• Support Third-Party Assessments and Audits
• Respond to Notifications of Security/Privacy Events

Page 35

Third-Party Risk Management Domain

Ten Modules (continued)

• Support Establishment of Third-Party Connectivity
• Promote Awareness of Third-Party Program Requirements
• Participate in Remediation Efforts
• Respond to Third-Party Requests Regarding Privacy/Security Events

Page 36

Examples of Healthcare Oversight Penalties

• In August 2013, the U.S. Health & Human Services (HHS) Office for Civil Rights (OCR) settled with a New York-based non-profit managed care plan for $1.2 million after the entity admitted to having inadvertently disclosed the PHI of more than 300,000 individuals.
• In March 2012, a health plan provider in Tennessee agreed to pay HHS $1.5 million for failure to “implement appropriate administrative safeguards to adequately protect information.” The settlement also required the health plan “to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all [pertinent] employees…”

Page 37

Largest HIPAA Settlement to Date

• Two New York-based hospitals paid out $4.8 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network
  – Read more on the OCR website

Page 39

HCISPP EXAM PROCESS & STUDY TIPS

Page 40

Summary of Certification Process

• Obtain the required experience

• Register for 3-day Pre-Cert Prep Course at

Harrisburg University

• Study for the exam

• Register for the exam

• Pass the exam

• Applicant Endorsement Form

• Maintain the certification

Page 41

The HCISPP Exam

• 125 Multiple Choice Questions
  – Four possible answers are always provided
• Three hours to complete
• Required score of 700 points out of a possible 1000
• Schedule at any Pearson VUE center worldwide

Page 42

Create a Study Plan

• Set a goal: schedule your exam date
• Attend the Official (ISC)² Prep-Course training at Harrisburg University – May 16, 17 and 18
• Read the Official (ISC)² textbook
• Study the HCISPP Flash Cards
• Take advantage of (ISC)²’s free study resources (exam outline)

Page 43

Official HCISPP (ISC)² Prep-Course

• Up-to-date courseware

• Taught by an authorized (ISC)² GAP instructor

• Student handbook

• Collaboration with classmates

• Real-world learning activities and scenarios

• Interactive and engaging learning techniques

• Fun!

Page 44

3-Day Intensive HCISPP Prep-Course at Harrisburg University

DATES: May 16-18, 2016
TIME: 8:30 am – 4:30 pm
LOCATION: Harrisburg University, 326 Market Street, Harrisburg, PA
REGISTRATION: Early-bird rate: $1,500.00. Register early and save! Valid until April 15, 2016. Regular rate after April 15: $1,700.00

Registration includes lunch, discount code for the exam, course materials and practice exam.

Learn more and register online at:
https://professionaled.harrisburgu.edu/healthcare-information-security-privacy-practitioner-certification-prep-course/

Page 45

QUESTIONS?

THANK YOU FOR ATTENDING!